VULNERABILITY DISCLOSURE POLICY

PLEASE READ THIS POLICY CAREFULLY, AS IT DESCRIBES HOW TO REPORT SECURITY VULNERABILITIES TO VEBONIX.

Effective date: August 23, 2025

1. PURPOSE

VEBONIX encourages security researchers to report potential security issues responsibly. If your disclosure meets the guidelines below, we will not pursue legal action related to your research.

2. SCOPE

Only VEBONIX-owned domains and services are in scope. Hosted customer content and third‑party plugins/services are out of scope.

3. OUT‑OF‑SCOPE / NON‑QUALIFYING

• DoS/DDoS, brute force, or user enumeration
• Physical attacks or social engineering (including phishing)
• CRIME/BEAST and logout CSRF
• Banner/version disclosure, missing SPF records
• Directory listing without direct sensitive data exposure
• Issues dependent on outdated browsers
• Automated scanner reports without a validated impact

4. QUALIFYING VULNERABILITIES

• Cross‑Site Scripting (XSS)
• Authentication/Authorization flaws
• Cross‑Site Request Forgery (CSRF)
• Remote Code Execution (RCE)
• SQL Injection
• Directory Traversal
• Clickjacking
• Privilege Escalation

5. REPORT QUALITY

• Detailed steps to reproduce (URLs, roles, payloads).
• Clear impact explanation with consistent PoC.
• Logs, screenshots, or short videos where helpful.

6. CONFIDENTIALITY

Information gathered through testing is confidential and may only be used for this program. Do not disclose vulnerabilities or data prior to remediation without VEBONIX’s written consent.

7. LEGAL

By participating, you agree to adhere to applicable laws, VEBONIX’s Legal Agreements and Privacy Policy. Your testing must not disrupt services or compromise data you do not own.

8. HOW TO REPORT

Email [email protected] with a thorough description, reproduction steps, affected endpoints, and any relevant PoC. We will triage and respond as quickly as practicable.